https://thehackernews.com/2019/09/chrome-dns-over-https.html
DNS check over HTTPS? From a personal security standpoint, I like this idea. No more plaintext advertising of where I want to go. ;D
From an enterprise security standpoint, ugh. :-\ If I'm trying to block DNS requests to certain sites, this goes around that. I'm sure we're not that far away from this being utilized as a data exfiltration method.
PsiXBot malware upgraded with Google DNS over HTTPS, sexploitation kit
https://www.zdnet.com/article/psixbot-malware-upgraded-with-google-dns-over-https-sexploitation-kit/#ftag=RSSbaffb68
Block it with NGFW, lock down SOE with GP and no admin rights, or live with it.
With privacy being more and more important, a lot of protocols are going to end up hidden from network monitoring. You can SSL intercept some things, but many are doing client auth and/or certificate pinning. Really, at this point you need to go to the endpoint and protect it. For stuff you can't put agents on, you need to proxy and restrict access as much as possible. You should do that for agented systems too, really.
-Otanx
It's not just protecting the endpoint, it's also protecting the data in motion. I'd go with the lockdown at the firewall and proxy, as a botnet client trying to find its C2 server with DoH is unacceptable in my view.
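Added example, not part of the thread above and not any poster's code: on a proxy that already performs the SSL interception mentioned in the thread, DoH requests can be recognised by the RFC 8484 media type and `dns` query parameter, and the queried name recovered for checking against the same blocklist used for plain DNS. The log record fields, the `doh.example` host and the sample names are constructed assumptions.

```python
import base64
import struct
from urllib.parse import urlsplit, parse_qs

DOH_MEDIA_TYPE = "application/dns-message"  # media type defined by RFC 8484

def qname_from_wire(msg: bytes) -> str:
    """Return the first question name from a DNS wire-format message."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while msg[pos] != 0:
        length = msg[pos]
        if length > 63:  # compression pointer or garbage: not a plain question
            raise ValueError("unexpected label length")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels).lower()

def inspect_request(method, url, content_type="", accept=""):
    """Classify one proxy log record as (is_doh, queried_name_or_None)."""
    media = {h.split(";")[0].strip().lower() for h in (content_type, accept)}
    is_doh = DOH_MEDIA_TYPE in media
    name = None
    query = parse_qs(urlsplit(url).query)
    if method == "GET" and "dns" in query:
        raw = query["dns"][0]
        try:
            padded = raw + "=" * (-len(raw) % 4)  # RFC 8484 strips base64url padding
            name = qname_from_wire(base64.urlsafe_b64decode(padded))
            is_doh = True
        except (ValueError, IndexError):
            pass  # a parameter named "dns" that is not a DNS message
    return is_doh, name

def build_query(name):
    """Constructed sample input: a minimal A-record query for `name`."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def sample_get_url(name, host="doh.example"):  # host is a placeholder
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"https://{host}/dns-query?dns={b64}"

if __name__ == "__main__":
    for rec in [("GET", sample_get_url("blocked.example"), "", DOH_MEDIA_TYPE),
                ("POST", "https://doh.example/dns-query", DOH_MEDIA_TYPE, ""),
                ("GET", "https://www.example.org/search?dns=abc", "", "text/html")]:
        print(rec[0], rec[1][:48], inspect_request(*rec))
```

For POST requests the query travels in the body, so a log that records only URL and headers can flag the request as DoH but cannot recover the name.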